The Moose and Squirrel Files

December 23, 2010

Quick and dirty UDP servers with wireshark

Filed under: Network, Wireshark — networknerd @ 3:16 pm

I’m not suggesting Wireshark is the right choice for production, but if you need a UDP server for a quick debugging session, this trick might just be worth tucking away for later.

If you need to perform a short data collection from applications like syslog or NetFlow that just pump out UDP packets, then Wireshark/tshark can work for you in a pinch.

Here’s the recipe for syslog.

tshark -i 2 -f "port 514" -T fields -e syslog

Using the -T fields switch lets us specify which data to output, with one or more -e switches. Since we specified a whole protocol (syslog) as the field, tshark prints multiple fields: in this case the facility (LOCAL7), the severity (NOTICE), and, as the remainder of the output below, the actual message.

Syslog message: LOCAL7.NOTICE: 27403: Dec 23 14:44:29: %SYS-5-CONFIG_I: Configured from console by root on vty0 (10.0.2.19)

The people who wrote the dissectors in Wireshark have done all the hard work of interpreting the binary fields for us. It’s worth noting that there is no documentation (that I am aware of) for the field names. I usually just capture a couple of packets and export them in PDML format. You can then open that file in any text editor and determine the field names from the XML.
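The PDML step above can be automated: the script below (an added example, not part of the original post) walks a PDML export, lists the field names each dissector exposes, and turns the chosen names into the -e switches for the collector command. The embedded PDML is a constructed fragment shaped like tshark -T pdml output, with made-up sizes, offsets and values.

```python
"""Discover Wireshark field names from a PDML export and build the tshark command."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `tshark -T pdml` output for one syslog
# packet (trimmed to the protocols of interest; attribute values are illustrative).
PDML_SAMPLE = """<?xml version="1.0"?>
<pdml version="0" creator="wireshark/3.6.2">
<packet>
  <proto name="geninfo" pos="0" showname="General information" size="132">
    <field name="num" pos="0" show="1" showname="Number" value="1" size="132"/>
  </proto>
  <proto name="udp" showname="User Datagram Protocol, Src Port: 514, Dst Port: 514" size="8" pos="34">
    <field name="udp.srcport" showname="Source Port: 514" size="2" pos="34" show="514" value="0202"/>
    <field name="udp.dstport" showname="Destination Port: 514" size="2" pos="36" show="514" value="0202"/>
  </proto>
  <proto name="syslog" showname="Syslog message: LOCAL7.NOTICE: ..." size="90" pos="42">
    <field name="syslog.facility" showname="Facility: LOCAL7 - reserved for local use (23)" size="5" pos="42" show="23" value="3c3138393e"/>
    <field name="syslog.level" showname="Level: NOTICE - normal but significant condition (5)" size="5" pos="42" show="5" value="3c3138393e"/>
    <field name="syslog.msg" showname="Message: 27403: ..." size="85" pos="47" show="27403: ..." value="00"/>
  </proto>
</packet>
</pdml>
"""


def field_names(pdml_text: str) -> dict[str, list[str]]:
    """Map each dissected protocol to the field names usable with -e (first-seen order)."""
    root = ET.fromstring(pdml_text)
    names: dict[str, list[str]] = {}
    for proto in root.iter("proto"):
        pname = proto.get("name")
        if pname == "geninfo":  # pseudo-protocol (frame metadata), not a -e target
            continue
        for field in proto.iter("field"):  # iter() also reaches nested fields
            fname = field.get("name")
            if fname and fname not in names.setdefault(pname, []):
                names[pname].append(fname)
    return names


def tshark_command(iface: str, port: int, fields: list[str]) -> str:
    """Build the quick-and-dirty collector command line from the chosen field names."""
    e_args = " ".join(f"-e {f}" for f in fields)
    return f'tshark -i {iface} -f "port {port}" -T fields {e_args}'


if __name__ == "__main__":
    discovered = field_names(PDML_SAMPLE)
    for proto, fields in discovered.items():
        print(proto, "->", ", ".join(fields))
    print(tshark_command("2", 514, discovered["syslog"]))
```

Run it against a real export (tshark -r capture.pcap -T pdml > capture.pdml) to get the exact names your Wireshark build uses, since they can differ between versions.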
